CVE-2026-33244

ADVISORY - github

Summary

When using React Router v7 Framework Mode with Pre-rendering enabled, an improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

EPSS Score⁠: 0.00029 (0.086)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-79⁠

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - github

CWE-79⁠

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impacted images

Advisories

Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.